STE WILLIAMS

Facebook: we logged 100x more Instagram plaintext passwords than we thought

About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades.

The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash used for verifying that your password was correct.

Well, it’s just updated its March 2019 admission to state that the number of plaintext passwords found scattered round its systems in various logfiles is greater than originally thought.

Back in March, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users, but yesterday the company updated its bulletin to say:

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.

Simply put, the chance that your Instagram password was stored somewhere in a logfile, somewhere in Facebook’s network, turns out to be 100 times greater than you might have thought last month.
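The blunder described above is passwords landing in ordinary application logs instead of only a salted hash being stored for verification. The following is an added example (not Facebook’s or Instagram’s code) of the two defensive controls a team would want: a logging filter that scrubs credential values before a record is written, and a scanner that flags existing log lines that still carry one. The field names, sample log lines and hashing parameters are constructed for the example.

```python
"""Keep plaintext credentials out of application logs (added example).

1. CredentialRedactor: a logging.Filter that rewrites a record so values of
   password-like fields never reach a handler.
2. find_leaks: a scan over existing log lines that reports the ones still
   holding a credential value, the kind of check that surfaces stray logfiles.
3. store_password / verify_password: what should be kept instead of the
   password itself (a salted PBKDF2 hash; parameters are illustrative).
"""
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Iterable, List, Optional, Tuple

# Key names that signal a credential when used as a field name (constructed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "pass", "secret", "token")

# Matches  key=value / key: value / "key": "value"  with the value either
# double-quoted, single-quoted, or bare (bare values stop at & , whitespace or }).
# The \b anchors keep "bypass=true" and "password_hash=..." from matching.
_PATTERN = re.compile(
    r'(?P<key>["\']?\b(?:%s)\b["\']?\s*[:=]\s*)'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>[^&,\s}]+))'
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace every credential value in text, preserving the key and its quoting."""
    def _sub(m: "re.Match") -> str:
        if m.group("dq") is not None:
            return f'{m.group("key")}"{REDACTED}"'
        if m.group("sq") is not None:
            return f"{m.group('key')}'{REDACTED}'"
        return f"{m.group('key')}{REDACTED}"
    return _PATTERN.sub(_sub, text)


class CredentialRedactor(logging.Filter):
    """Scrub credentials from a record before any handler formats it.

    The record is fully formatted first (getMessage applies the %-args), then
    redacted, and the args are cleared so handlers do not re-apply them.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(msg: str, *args) -> str:
    """Emit msg through a logger fitted with the filter and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(CredentialRedactor())
    logger.debug(msg, *args)
    return buf.getvalue().strip()


def has_plaintext_credential(line: str) -> bool:
    """True if the line carries a credential field whose value is not yet redacted."""
    for m in _PATTERN.finditer(line):
        val = m.group("dq") or m.group("sq") or m.group("bare") or ""
        if val != REDACTED:
            return True
    return False


def find_leaks(lines: Iterable[str]) -> List[int]:
    """Return the 1-based line numbers of log lines that still hold a credential."""
    return [i for i, line in enumerate(lines, 1) if has_plaintext_credential(line)]


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): the only thing a login system needs to keep."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


# Constructed sample log lines: lines 1 and 2 leak a password, 3 and 4 do not.
SAMPLE_LOG = [
    "2019-03-21 10:02:11 DEBUG login attempt user=alice password=hunter2 ip=203.0.113.7",
    '2019-03-21 10:02:12 INFO  POST /login body={"user": "bob", "password": "s3cr3t pass"}',
    "2019-03-21 10:02:13 INFO  session refreshed user=carol bypass=false",
    "2019-03-21 10:02:14 DEBUG login attempt user=dave password=[REDACTED] ip=203.0.113.8",
]

if __name__ == "__main__":
    print("leaking lines:", find_leaks(SAMPLE_LOG))
    print(log_with_redaction("login attempt user=%s password=%s", "alice", "hunter2"))
```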

Should you be worried?

We didn’t get an alert about either our Instagram or Facebook password having been affected back in March 2019, but we followed our own advice and changed our password anyway, so we’re not worried about this new announcement.

If anyone at Facebook had been able to retrieve our password from somewhere in Facebook’s sea of data – and we suspect they’d have gone directly after all our other data anyway, rather than bothering to log in with our account – then that old password is valueless now.

We’ve also had two-factor authentication (2FA) turned on for ages, and we are in the habit of logging out formally from both Facebook and Instagram, on both our laptop and our mobile phone, on a regular basis.

Regular logouts are mildly annoying, given that we have to log back in using both our password and 2FA code, but we think it’s a small price to pay to make life harder for the crooks.

It also gets us in the habit of checking through the “who logged in from where and on which device” logs regularly, which gives us a better chance of spotting wrongdoing against our account.

So, once again, we’re not panicking, and we’re not advising you to close either your Facebook or your Instagram account – at least, not on this basis alone.

To repeat our advice from last time:

Should you close your Instagram account?

We can’t answer that for you.

Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.

(For what it’s worth, we’re not closing ours.)

Should you change your Instagram password?

Why not?

It’s highly unlikely that any passwords were acquired by any crooks as a result of this, but if any plaintext passwords do end up in the wrong hands, you can be sure that the crooks will try them out right away.

So our advice is: don’t wait for Facebook or Instagram to warn you – change your password now.

(We already changed ours, back in March 2019 when the first warning came out.)

Should you turn on two-factor authentication?

Yes.

We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.

(We did it ages ago.)

Watch our advice video

Here’s the special edition of Naked Security Live that we presented back in March 2019 – all the advice we give in this video is still relevant, and covers a range of questions, including:

  • What happened?
  • Was this a blunder or was Facebook being deliberately sneaky?
  • Should I close my account because of this?
  • What steps should I take right now?

(Watch directly on YouTube if the video won’t play here.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rYKUvb--2D4/

Third-Party Cyber-Risk by the Numbers

Recent stats show that the state of third-party cyber risk and vendor risk management remains largely immature at most organizations.

Image Source: Adobe Stock (BillionPhotos.com)

Make no mistake: Even the most technologically mature organizations are struggling to keep in check the rising force of third-party cyber-risk. Recent high-profile security incidents, such as the Facebook data leak and the ASUS Shadowhammer attack, bring home the fact that third parties can introduce tremendous risk to business operations, data security, and even the technical integrity of products and services.

Data shows that enterprises of all types are still way behind on instituting the governance and technology to wrap their arms around third-party risks, be they in the software supply chain, access governance, or data handling. And, unfortunately, some experts say the industry isn’t moving the needle on third-party risk.

“The overall maturity of vendor risk management programs is virtually unchanged in the face of an increasingly challenging external risk and regulatory environment,” wrote experts from Protiviti in the company’s fifth annual vendor risk management survey.

For this slide show, Dark Reading took a look at data in that report as well as a number of others on third-party cyber-risk to offer insight into the current attitudes around the problem, the scope of access afforded to third parties, and the maturity level of current vendor risk management practices.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/risk/third-party-cyber-risk-by-the-numbers/d/d-id/1334443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why We Need a ‘Cleaner Internet’

By blocking threats and attacks nearer to their sources, cybersecurity pros could help turn the connected world into a safer place for all.

If we discover a water leak in our homes, we don’t throw a large bucket underneath and hope the problem goes away. We try to stop the damage by finding the source of the problem. But when dealing with threats in the connected world, we seem to take the former approach, deploying more security tools and spending more money – and all the while the risk of damage continues to increase.

In this current paradigm, the Internet is neutral and, in fact, largely passive. Unless the traffic related to an attack directly impacts a network, causing congestion or other issues, it is simply delivered as equitably as “good” traffic.

In midsize and large companies, millions of dollars have been spent deploying multiple layers of security technology (multiple buckets) and putting the right people and processes in place (to empty the buckets). However, threats are becoming more sophisticated and harder to defend against amid a growing population of connected infrastructure that is poorly defended and vulnerable – namely, the Internet of Things (IoT).

The number of devices connected to the Internet is expected to grow exponentially – around 29 billion connected devices are forecast by 2022, of which around 18 billion will be related to IoT. As we all know, many of these devices were not designed with security in mind. It is also common knowledge that bad actors have already used IoT devices to launch large-scale distributed denial-of-service attacks for cryptojacking and for man-in-the-middle data theft. Initially, dictionaries of default passwords and network scans were used to build out large botnets of temporarily (until reboot) compromised devices. Now more sophisticated vulnerabilities, and a wider range of passwords, are being used to more permanently take control of a broader range of devices. And this is just the beginning.

Putting appropriate defenses in place to defend against targeted threats is important and will always be required. But what if the networks that make up the Internet started to block threats and attacks nearer to their sources – if vulnerable infrastructure was identified and protected proactively? Much of the “noise” we have to deal with in security would diminish. We’d cut down on the complexity in the security stacks deployed by well-defended organizations, reducing cost and risk. The shortage of skilled security personnel would become less of an issue, as well. In short, we’d be making it harder and more costly for attackers to launch attacks, shifting the balance away from the target.

In doing so, we’d also be turning the connected world into a cleaner and safer place for all. Returning to our water leak analogy, we’d be reducing our risk, and the cost of buying buckets, by turning off the water to the exterior taps before the frost causes them to burst.

There is a growing interest in this proactive approach from the cybersecurity community, including the federal government. In fact, the US Department of Defense stated in its Cyber Strategy Summary from last September: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”  

Network operators are also increasingly concerned with the implication of potential security incidents made possible by the explosion of unprotected infrastructure and are giving consideration to this pre-emptive approach. Yet this interest is not entirely altruistic. The concept of a “cleaner Internet” gives network providers an opportunity to generate revenue by providing a broader set of security services to a broader range of consumers and organizations.

While the global managed security services market is growing rapidly, most current offerings are aimed at large, sophisticated organizations that know and understand exactly the type of capabilities they need. Expanding security services to a broader range of customers, even at a relatively low cost, could yield significant returns when tens or hundreds of thousands of businesses are considered.

The next five years are sure to see a directed movement by the industry to invest in a cleaner Internet. Expect to see operators delivering new services that offer more proactive capabilities to deal with threats before they reach their target – enabling the continued expansion of the connected world while reducing our overall risk and cost.


 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer at Arbor Networks, Darren works across the research, strategy, and pre-sales aspects of Arbor’s traffic monitoring, threat …

Article source: https://www.darkreading.com/endpoint/why-we-need-a-cleaner-internet-/a/d-id/1334442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Free Princeton Application Provides IoT Traffic Insight

The application developed by a research group allows users to spot possible IoT security problems.

A project at Princeton University is studying IoT devices used in homes and, in the process, has developed a tool that can give individuals a great deal of insight into the IoT activity going on all around them.

The Princeton IoT Inspector is an application that uses ARP spoofing to find and monitor network devices in a building. After launching the MacOS application (Windows and Linux versions are planned for the near future), the Inspector uses a Chrome or Firefox browser window to allow the user to select which devices to monitor and see the results of the monitoring.

Inspector takes an inventory of IoT devices, allowing users to see whether there are any “hidden” IoT devices on their networks and in their buildings. Monitoring the traffic patterns and destination points for data from those devices will allow users to see where the information is going — and they can see if those destinations change, which could indicate a possible hack into the system. In addition, Inspector shows whether the data from a given device is encrypted and whether that encryption is based on newer, more secure, techniques.

In return for the information, data is uploaded to the Princeton research team. The team, led by Danny Y. Huang, PhD, has released the source code on GitHub, and allows a user to download or delete their data at any time.

For more, read here and here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/free-princeton-application-provides-iot-traffic-insight/d/d-id/1334483?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

APT34 Toolset, Victim Data Leaked via Telegram

For the last month, an unknown individual or group has been sharing data and hacking tools belonging to Iranian hacker group APT34.

Hacking tools, victim data, and identities of the elite Iranian hacker group APT34, also known as OilRig and Helix Kitten, have been leaked on Telegram for the past month, researchers report.

An unknown individual or group under the alias Lab Dookhtegan has been sharing APT34’s hacking tools, as well as data belonging to victims, on Telegram since March 2019. Data exposed included the source code of hacking tools, details on hacked victims (username and password combinations, internal server data), and information on APT34’s operations, including web shells and access details on servers from businesses and governments around the world.

Researchers with Chronicle, the cybersecurity division under Alphabet, confirmed the leaked data belongs to APT34. Information came from 66 global victims and indicates a focus on Middle Eastern government agencies, telcos, and transportation firms in addition to organizations based in Asia, researchers report. The data dump is seemingly intended to shame APT34 and expose their targets and tools so they have to build new ones to continue running.

Brandon Levene, head of applied intelligence at Chronicle, says this may end up happening. “It’s likely this group will alter their toolset in order to maintain operational status,” he wrote in a statement. “There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use.”

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/apt34-toolset-victim-data-leaked-via-telegram/d/d-id/1334485?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russia Hacked Clinton’s Computers Five Hours After Trump’s Call

Mueller report finds that in July 2016, after then-candidate Donald Trump publicly called for Russia to “find the 30,000 emails,” Russian agents targeted Hillary Clinton’s personal office with cyberattacks.

While the Mueller report did not find evidence that Donald Trump or his campaign knowingly coordinated with Russia to target the computers and data of Hillary Clinton’s campaign during the 2016 US presidential election, the investigation did show that both sides were willing to reap the benefits of each other’s actions. 

One new detail included in the report, released April 18 by the US Department of Justice, highlighted the significance of the symbiotic relationship. On July 27, 2016, within five hours of then-candidate Trump’s call for Russia to “find the 30,000 e-mails that are missing,” officers of the Russian Main Intelligence Directorate of the General Staff (GRU) targeted Clinton’s personal office for the first time, attempting to compromise 15 nonpublic accounts.

Previous details on Russia’s activities during the run-up to the 2016 election, released as part of a 2018 indictment and charging documents against 12 GRU members, did not include the close link between the actions of the Trump campaign and Russia cyber activities.

In the report, special counsel Robert S. Mueller III specifically acknowledged the relationship but concluded it did not amount to knowing coordination. 

“Although the investigation established that the Russian government perceived it would benefit from a Trump presidency and worked to secure that outcome, and that the Campaign expected it would benefit electorally from information stolen and released through Russian efforts, the investigation did not establish that members of the Trump Campaign conspired or coordinated with the Russian government in its election interference activities,” the report stated.

The redacted 448-page Mueller report — or, more officially, the “Report On The Investigation Into Russian Interference In The 2016 Presidential Election” — concludes that two Russian operations directly benefited the Trump campaign and detracted from the Clinton campaign during the 2016 election cycle.

In the first operation, the Internet Research Agency (IRA), based in St. Petersburg, Russia, and funded by a Russian oligarch, created a “social media campaign designed to provoke and amplify political discord in the United States,” eventually evolving from “a generalized program designed in 2014 and 2015 to undermine the U.S. electoral system, to a targeted operation that by early 2016 favored candidate Trump and disparaged Clinton.” In some cases, IRA employees contacted members of the Trump campaign directly to coordinate political activities, but they did so “without revealing their Russian association,” the report found. 

Much of the report’s details and conclusions regarding IRA interactions with the Trump campaign are redacted, citing potential harm to ongoing matters, one of the four categories that Attorney General William Barr stated he would use as a reason for redaction.

The second operation, conducted by Russia’s intelligence service, focused on hacking the computers and e-mail accounts of various officials in the Clinton campaign. The operatives targeted “hundreds of e-mail accounts” and stole “hundreds of thousands of documents” from Clinton campaign officials, releasing them through online personas, such as “DCLeaks” and “Guccifer 2.0,” and later WikiLeaks, according to the report. The operation began in March 2016; by April it had access to a variety of e-mail accounts and networks, including those of the Democratic Congressional Campaign Committee and Democratic National Committee. 

The GRU later targeted the officials and administrators of US elections, as well as the technology firms responsible for making and managing election hardware and software, according to the report.  

As the GRU released collections of e-mails from Democratic organizations and the Clinton campaign, the Trump campaign used the information to criticize Clinton. In particular, Clinton’s use of a personal e-mail server for government work, as well as her legal team’s deletion of e-mail messages they deemed to be nonwork-related, became significant rallying points for Republicans. Trump frequently called on Clinton to release the e-mail messages and for other parties to “find” the messages.

As Secretary of State from 2009 to 2013, Clinton used a personal e-mail server to a much greater extent than her predecessors. In 2013, a hacker known as “Guccifer” — whose handle would later be used as an alias for Russian intelligence operations — compromised the e-mail account of Sidney Blumenthal, an adviser to both Secretaries of State Colin Powell and Clinton, and publicly revealed Clinton’s personal e-mail server.

In 2014, as part of the aftermath of the investigation into US diplomats’ deaths in Benghazi, the US Department of State requested that Clinton and other former Secretaries of State submit any work-related e-mails. Clinton’s legal team identified 33,000 e-mails that fell within that category and deleted personal e-mail messages, according to testimony by James Comey, director of the FBI at the time.

The e-mail investigation came to a political head during a press conference on July 27, 2016, with Trump taking the unprecedented step of calling for a foreign country to take action.

“If Russia or China or any other country has those e-mails, I mean to be honest with you, I’d love to see ’em,” he said, later adding, “Russia, if you are listening, I hope you’re able to find the 30,000 e-mails that are missing. I think you will probably be rewarded mightily by our press.”

Within five hours of that statement, GRU operatives were attempting to hack into Clinton’s e-mail servers and nonpublic accounts, according to the Mueller report.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/russia-hacked-clintons-computers-five-hours-after-trumps-call/d/d-id/1334484?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Old-school cruel: Dodgy PDF email attachments enjoying a renaissance

The last few months have seen a big increase in malware attacks using PDF email attachments, according to security firm SonicWall.

“Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said the outfit’s Bill Conner.

There’s nothing new in this, of course, but many recent attacks have relied on getting users to click links in emails leading to infected webpages instead of requiring them to open an attachment, as was traditional.

In many cases, targeted PDFs use zero-day exploits for browsers in order to increase the probability of a successful attack as on-the-ball businesses now patch their systems more quickly to protect against known exploits. Other attacks have been known to nick login details by tricking the user into opening malicious PDFs that use remote document loading mechanisms to capture and leak your credentials.

The infosec firm said its sandbox products had found 47,000 new attack variants using PDF attachments last year. This year they have detected over 73,000 new attacks in March alone – and more than 173,000 new variants altogether in the first quarter of 2019. The attacks were a mixture of actual malware and links to infected sites.

As t’was ever thus, the emails use social engineering strategies to offer promises of lucrative deals and pretend to be trusted sources to encourage people to click on the attached PDFs.


SonicWall’s report naturally pushes its own security solutions for the issue, but that’s a notable uptick in PDF attacks nonetheless. The firm, which was bought by Dell in 2012 and then spun out four years later, sells hardware, software and cloud-based security products to small and medium firms and government agencies.

Martin Holste, cloud security CTO at FireEye, said in his company’s recent predictions report that the danger of email attack remains high and shows little sign of disappearing.

“Perhaps the number one thing for cloud security is email security, because phishing is just so hard to defend against. That’s the number one way that attackers are coming through, and we don’t expect that to change in 2019.”

FireEye expects social engineering coupled with email to be the most common form of attack, because it works – and the best defence is well-trained staff.

Wind the clock forward 12 years, and it seems not much has changed in the world of phishy malware-flingers. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/19/pdf_malware_warning/

We’ve read the Mueller report. Here’s what you need to know: ██ ██ ███ ███████ █████ ███ ██ █████ ████████ █████

Analysis It’s 448 pages of which roughly 50 have been blacked out.

It demonstrates conclusively that the Russia government went to great lengths to try to sway or interfere with the 2016 US presidential election in favor of Donald Trump, or at least sow seeds of confusion, muddy the waters, and disrupt American political discourse.

It outlines in some detail how the Russians first attacked other Republican challengers and then focused their efforts on both pushing Trump’s appeal while doing everything they could to undermine Democratic candidate Hillary Clinton.

They did so by using and abusing social media networks, primarily Facebook and Twitter, to push and spread false and divisive information; the networks were oblivious.

It is, of course, the Mueller Report, a █████████ version of which was finally made available today, one month after it was provided to the US Department of Justice.

The headline is, of course, that Mueller did not think there was sufficient evidence to post a criminal charge of conspiracy between the █████████████ government and the █████████ Campaign. Reading through the report, however, two critical aspects emerge:

  1. There is every reason to believe that given the chance, the █████████ Campaign would have conspired with Russia. █████████ ███████ himself clearly feels it was a possibility. And while he remained confident that his way of doing business was going to make it very hard for anyone to prove a conspiracy – in which he was proven right – he still went to significant lengths to block and stymie the investigation. When he learnt of the special counsel report, █████████ slumped in his chair and said, ‘Oh my God. This is terrible. This is the end of my presidency. I’m fucked.’
  2. Given the extraordinary willingness of the █████████ Campaign to say and do things that would normally have hastened the end of a political campaign, it’s questionable whether a direct link between the █████████ government and the █████████ Campaign was needed and would have been worth the risk – at least at a campaigning rather than policy level. Leading figures in the █████████ Campaign actively and repeatedly reposted and retweeted obviously false information published online by █████████ intelligence agents through fake accounts. And when it came out that █████████ was trying to sway the election, the █████████ Campaign actively and publicly embraced their efforts because it was in their interests to do so. █████████ said at a press conference: “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing. I think you will probably be rewarded mightily by our press.” The subsequent theft and release of confidential emails from the Clinton Campaign through Wikileaks was the result of █████████ intelligence efforts.
  3. ███████ ████ ███████ ██████ ██ ███████ ███████████████ ███████ █████ █████ ██████ ████████ ████████ ██████████ ████████████ ██████████████████ ████ ██████████ █████████ ██ ███████████████████ █████ ████████████████ ████ ██████████ ███████ ███ ███████████████ ██████ ██████ ████████████████ ███████████████ █████ ███████ ████ ████ ███████████ ██████ ██████████████ ███████████████.

So that’s where we stand. What are some of the more intriguing details from the report? Let’s go through them.

Lies

There was an extraordinary amount of lying on the part of members of the █████████ Campaign. The immediate assumption is that they have something to hide – which in some cases they did – but Mueller was ultimately unable to find something so terrible that it was worth lying to a special counsel over.

Why did they lie so much and so extensively? Mueller is clearly confused by it – and he has a long career at the FBI behind him. The most likely answer is the same one as to why someone senior in a presidential campaign would retweet obviously false information and then go on TV and say with a straight face something that literally everybody knows to be false. It’s just the nature of the people that joined the campaign. █████████ is a compulsive liar; follow the leader.

Fake news and ███████████████

A big chunk of the report’s digging into Russian propaganda and fake news efforts is █████████, with most of the ████████████████ tagged as “investigative technique” – suggesting that revealing the information could provide people with insights into how the information was gathered by US intelligence.

███ ██ ███ ███ ████ ██████ █ ███████ ████ █████ █████ ██ ██████ ██████ █████████████████ █████ ████████ ████████ ███ ███ ███████ ████████████ ██ ███████ █████ █████ █████ █ ██ ███ ███ █████ ███████ ██ █████████ ███ ██████ ████ █████ █ █████ ██ ████ ████ █████████ ██ ███ █████ █████ ████ ████ ██ ███ ███ ████████████ ████████ █████ ████████ ██ ███████ ██████ ██████ █████ ████████ ███████████ ██████ ████ ██████ ████ ████████ █████████ ██ ██████ ██ ████ ██ ██████ ██ █ ████ ████ ███████ ███ ███████████ ██████ ███████████ █████████████ █████████████ ██ ████████████ █████████████ ███ █████████ █████ ██ █████ ██ ████ ██ ██ █████ ████ ██████ ████████ ███████ ███████.


The ███████████████ themselves have become a political firestorm, in large part because many suspect they are being used to hide information damaging to the president. But in this case, they do appear to be somewhat legitimate. Where they get more suspicious is in the areas of the █████████ Campaign’s interactions with Wikileaks.

But what does emerge is how much effort Russia put into disrupting the election and how attuned they were to what topics would get underneath Americans’ skin. That said, some of the propaganda was so blunt and unsubtle that it is hard to imagine that it would have had much of an impact in any prior election.

█████████ came with a populist message and devil-may-care attitude that resonated with angry voters, and as a result what would previously have been laughed off as crude or un-American in its message suddenly became a political rallying cry.

The report gives numerous examples – including the names of Facebook groups and specific user accounts – that were used to spread this divisive and false information. And it highlights the senior █████████ campaign members that put a spotlight on these efforts.

The details of the abuse of social media networks and the hacking of Clinton campaign emails, leaked through Wikileaks, are well known but they are outlined in pretty thorough detail in the report. The report also includes lots of juicy details – if hacking and propaganda are your things – but they have been ███████████████.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/18/mueller_report_redacted/

Who’s using Mueller Report Day to bury bad news? If you guessed Facebook, you’re right: Millions more passwords stored in plaintext

While journalists and netizens are distracted digesting the redacted 400-plus-page Mueller report, released within the past few hours, today will be a good day for spin doctors to bury bad news.

And Facebook just couldn’t pass up on the opportunity.

One hour before the long-awaited dossier by Robert Mueller – special counsel of the investigation into Russian interference in the 2016 United States presidential elections – began circulating in Washington DC and beyond, Facebook quietly amended an online press release it issued in March.

The press release in which the antisocial network admitted to storing hundreds of millions of its user account passwords in plain text in log files on its servers that were accessible by its internal staff. A rather clumsy move.

At the time, the Silicon Valley giant said, in addition to those millions upon millions of Facebook profile credentials, it also logged the passwords of “tens of thousands of Instagram users” in an unencrypted form on its systems, which its engineers may have seen while rifling through logs to hunt down bugs.
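The failure described above, a whole login payload written to a log so the password lands in a file in plaintext, beside one mitigation: a logging filter that masks credential fields before any handler writes them. This is an added example, not code from Facebook or Instagram; the logger name, the key list and the sample payload are constructed.

```python
"""Keep plaintext credentials out of application logs with a logging.Filter."""
import io
import logging
import re
from typing import Any

# Keys whose values must never reach a log file (compared case-insensitively).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "authorization"}
REDACTED = "[REDACTED]"
# Catches "password=hunter2" / "token: abc" already flattened into a string;
# the value runs to the next whitespace, '&', ';' or ','.
_KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)[^\s&;,]+")


def redact(value: Any) -> Any:
    """Return a copy of value with sensitive entries masked, recursing into containers."""
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return _KV_PATTERN.sub(lambda m: m.group(1) + m.group(2) + REDACTED, value)
    return value


class SecretRedactingFilter(logging.Filter):
    """Scrub the message and its formatting args before the handler emits the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        if record.args:  # a single mapping arg is stored as the dict itself
            record.args = (redact(record.args) if isinstance(record.args, dict)
                           else tuple(redact(a) for a in record.args))
        return True  # keep the record, just with secrets masked


def build_logger(stream: io.StringIO) -> logging.Logger:
    """Logger whose only handler writes to `stream` through the redacting filter."""
    logger = logging.getLogger("login-demo")  # constructed name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Log a constructed login request the careless way; return what reached the 'file'."""
    buf = io.StringIO()
    log = build_logger(buf)
    payload = {"user": "alice", "password": "hunter2"}  # constructed sample request
    log.debug("login attempt: %s", payload)              # the mistake: logging the whole payload
    log.debug("raw query: user=alice&password=hunter2")  # already-flattened variant
    return buf.getvalue()
```

The filter is a last line of defence: the better fix is never to pass the credential object to the logger at all, and the filter then catches the cases a code review missed.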


Now the tech goliath has decided to revise that figure, and, well, let’s just say it massively underestimated that number.

“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format,” the amendment reads today.

“We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”

We’re sure the Mark-Zuckerberg-run corporate disaster scene can be trusted with that last statement. After all, it’s not like Zuck Co have ever lied, or distorted or been economical with the truth in the past. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/18/facebook_instagram_passwords/

How to Raise the Level of AppSec Competency in Your Organization

Improving processes won’t happen overnight, but it’s not complicated either.

Every organization needs someone with the authority to set up governance over data and the software portfolio. That person would also have a defined seat at the executive table, contributing to the discussion around organizational risk.

It may be up to IT and software engineering teams to create infrastructure, set access controls, create custom applications, and configure environments to be resilient to attack and protect data, but it’s problematic to have those groups decide what “security” means, how to do it, and whether they’re accomplishing it. The bar for “how secure” must come from someone who stands for the business—and the CISO is an excellent choice.

Getting the right person in place and equipping him or her to be successful is the first step in raising the level of software security competence.

Understanding all the components of production software, including components brought in at build time, also is a foundational part of software security competence. So is having:

  • A way to verify security adherence in the organizational software development life cycle (SDLC).
  • Policies and standards specific to software and data security.
  • A software risk-ranking method that shows where to focus your efforts when time, people, or money are short.
  • A method to rank software projects.
  • A defined point of contact for engineers to ask security questions and who keeps them apprised of their security responsibilities.

Hundreds of organizations now have formal software security initiatives (SSIs) that have taken them from a “penetrate and patch” mentality to a proactive approach. Raising the level of software security competency won’t happen overnight, but it’s not complicated, either.

Traditionally, software security teams implemented time-consuming testing, and engineering’s waterfall and agile-fall processes mostly allowed time for it. The two teams usually coordinated well enough for each to do their job sufficiently, if not efficiently. Software security competency often focused on how many bugs the testing processes could find. That worked for those chartered with governance and risk reduction, but as software engineering began to rapidly evolve into agile processes, continuous integration/continuous delivery (CI/CD) toolchains, and a DevOps culture, that slow, bug-finding-at-the-end approach created unacceptable friction for the engineering group chartered with feature velocity.

In today’s CI/CD and DevOps world, raising organizational software security competency doesn’t mean using legacy security testing tools alongside engineering’s new processes. It means integrating tightly with engineering to provide cadence-friendly CI/CD tooling and culture-friendly DevOps processes. It means taking all that “sec” the SSI learned over the years and making it fit in CI/CD and DevOps to create your organization’s version of DevSecOps.

Of course, the SSI will still need solid fundamentals. Remember that software inventory? Does your inventory process still work when orchestration is bringing up and tearing down containers and virtual machines based on infrastructure-as-code automation? What about detecting in the SDLC whether required frameworks and APIs are being used correctly? There’s no point in doing penetration testing on software we already know is broken because it was designed or built poorly; that can be detected and resolved very early in software development.

In a CI/CD and DevOps world, every organization must build good “observability,” which is how well we can infer internal states of a system or process given its status or outputs. Good sensors tuned in accordance with nonfunctional security requirements and release acceptance criteria will tell everyone when the software is misbehaving, and the right people can immediately determine whether it’s a defect, an attack, or something else.

If CISOs don’t take the initiative now, their organizations will likely get into a variety of unproductive behaviors. Shadow IT groups will be doing cloud plumbing, shadow development groups will be creating glue code to make CI/CD tools talk to each other, shadow architecture groups will be making cloud blueprints that work but not securely, and so on. Once fielded, it may not be possible to unwind functioning, revenue-generating applications just because they didn’t go through any security gates.

Every firm needs assurance that the CISO is enabling the rapid deployment of acceptably secure software, regardless of whether she can watch every part of every SDLC every minute of the day. “I need assurance that my software portfolio is appropriately secure at any given time” is a significantly more mature management proposition than “I must run this test on that software when it gets to the end of that process.”

All stakeholders partnering so that everyone stays in cadence and improves together may be the greatest competency of all.


Sammy Migues is a principal scientist at Synopsys. He is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Migues is a respected thought …

Article source: https://www.darkreading.com/informationweek-home/how-to-raise-the-level-of-appsec-competency-in-your-organization/a/d-id/1334402?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple